Thanks for the document. That document states "HTTP over secure socket layer (HTTPS) and File Transfer Protocol (FTP) URL filtering are not currently supported." That's why it doesn't work on https://www.facebook.com.

I tend to block sites by running an internal DNS server and creating a zone for each domain I wish to block. Create an A record in the zone file redirecting the domain to some non-responding address or set up a single page web server that displays an "Unauthorized Site" message.
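The internal-DNS approach described above, as an added example that is not part of the original thread: a Python script that emits one BIND 9 zone stanza per blocked domain plus a single shared zone file. BIND 9 syntax, the path `/etc/bind/db.blocked` and the block-page address `192.0.2.10` are assumptions, not values from the posts.

```python
"""Added example: build BIND 9 config that sinkholes blocked domains."""

import re

# Assumptions (not from the thread): BIND 9 syntax, this zone-file path,
# and 192.0.2.10 as the internal "Unauthorized Site" web server.
ZONE_FILE = "/etc/bind/db.blocked"
BLOCK_PAGE_IP = "192.0.2.10"

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(domain):
    """Lower-case, strip the trailing dot, and reject malformed names.

    Rejecting anything but plain labels also keeps quotes and semicolons
    from a blocklist entry out of the generated named.conf text.
    """
    name = domain.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or not all(_LABEL.match(lab) for lab in labels):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return name


def zone_stanzas(domains):
    """One authoritative zone per blocked domain, all sharing one zone file."""
    names = sorted({normalize(d) for d in domains})
    return "".join(
        f'zone "{n}" {{ type master; file "{ZONE_FILE}"; }};\n' for n in names
    )


def shared_zone_file(ip=BLOCK_PAGE_IP, serial=1):
    """Zone body using '@' so the same file works for every blocked zone.

    The wildcard record catches subdomains such as www, which a bare
    apex A record would miss.
    """
    return (
        "$TTL 300\n"
        f"@ IN SOA localhost. root.localhost. ( {serial} 3600 600 86400 300 )\n"
        "@ IN NS localhost.\n"
        f"@ IN A {ip}\n"
        f"* IN A {ip}\n"
    )


if __name__ == "__main__":
    # Constructed sample input: duplicates collapse to one stanza.
    print(zone_stanzas(["Facebook.com.", "facebook.com"]))
    print(shared_zone_file())
```
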

You can also apply ACLs to your Private policy-class that you can put ahead of your NAT statement. The ACL may not work as well as the built-in URL filtering, but it does allow for hostnames as destinations. It does not allow wildcards, so you will have to put in all of the hostnames. Here is an example for blocking Facebook, but you can put as many entries as you like in there. I hope this helps: